subuser icon indicating copy to clipboard operation
subuser copied to clipboard

Published 20 hours ago verified publisher icon subuser-security

Invalid path '/root/.subuser': Permission denied

Open lucasbasquerotto opened this issue 6 years ago • 6 comments

Hi!

I use docker and like the idea of running applications in containers, and thought about creating a docker image to run on desktop (for example, connecting to the XServer), but Docker is more focused on the server side and some solutions like passing the socket to the container don't seem good from a security perspective.

Some days ago I saw about subuser and tried to install on my newly created virtual machine (it uses Linux Deepin 15.6).

I followed the steps (as in the docs):

# 1. Add yourself to the sudo group 
# (I was already in the sudo group so this was actually not needed.).
sudo usermod -a -G sudo $USER

# 2. Install python3-pip:
sudo apt-get install python3-pip

# 3. Install subuser
sudo pip3 install subuser

Then I added PATH=$HOME/.subuser/bin:$PATH to the end of my ~/.bashrc file, logged out and logged in.

When I tried to run subsuser, it asked me for a git user and email and I run the commands to add them (this was a newly created VM, as I stated above, so there was no git credentials).

Then the first command I run I received an error:

lucas@lucas-pc:~$ subuser list available
Traceback (most recent call last):
  File "/usr/local/bin/subuser", line 52, in <module>
    command(sys.argv[2:])
  File "/usr/local/lib/python3.5/dist-packages/subuserlib/builtInCommands/list.py", line 64, in runCommand
    reposToList = user.registry.repositories.keys()
  File "/usr/local/lib/python3.5/dist-packages/subuserlib/classes/user.py", line 70, in registry
    self.__registry.ensureGitRepoInitialized()
  File "/usr/local/lib/python3.5/dist-packages/subuserlib/classes/registry.py", line 62, in ensureGitRepoInitialized
    self.gitRepository.run(["init"])
  File "/usr/local/lib/python3.5/dist-packages/subuserlib/classes/gitRepository.py", line 70, in run
    raise GitException(stderr)
subuserlib.classes.gitRepository.GitException: fatal: Invalid path '/root/.subuser': Permission denied

lucas@lucas-pc:~$

It seems it tries to acess /root/.subuser but isn't able to.

From what I read in the docs, it should try to acess ~/.subuser instead. I tried to run subuser with sudo but received the same error.

I also uninstalled subuser and installed with pip3 without sudo in ~/.local/ but it couldn't even import the files (perhaps it has something to do with paths, but I don't know python very well). I couldn't even run subuser version (before, installing with sudo, it showed me 0.6.2 and other info, but most commands wouldn't work with the error above).

In any case, I followed the docs in every step and even tried to run in a brand new virtual machine but no success so far.

Any thoughts about what could be the problem?

I don't know if it's because it's in deepin, but it's linux anyway and docker works fine in it. It seems more like it is trying to use the wrong directory.

lucasbasquerotto avatar Aug 11 '18 15:08 lucasbasquerotto

Are you running as root or as a normal user? What is the value in $HOME?

timthelion avatar Aug 11 '18 21:08 timthelion

That was the 1st thing I tried. But it's not the case (unless there is some linux features I don't know regarding that). But you can see in my logs lucas@lucas-pc (I think if it was root it would be root@lucas-pc).

Anyway, the home is correct:

$ echo $HOME
/home/lucas

But I think that for some reason when I run subuser it runs as root and $HOME ends up like /root/. I don't run with sudo, though, but it asks for the password, so I think it runs with sudo under the hood.

lucasbasquerotto avatar Aug 12 '18 10:08 lucasbasquerotto

@timthelion Do you have any thoughts about what it would be? I'd love to try subuser.

lucasbasquerotto avatar Aug 12 '18 10:08 lucasbasquerotto

Well it is running sudo under the hood: https://github.com/subuser-security/subuser/blob/master/logic/subuser#L51 If you don't want it to run sudo, you can add yourself to the docker group. Then it won't run sudo.

Looking back into the source code, I see that I'm actually not using the $HOME env var, though maybe I should be. What is important though, is that I'm detecting whether subuser is running under sudo by checking the $SUDO_USER env var. https://github.com/subuser-security/subuser/blob/master/logic/subuserlib/classes/endUser.py#L41 Can you please try:

$ sudo bash
# echo $SUDO_USER

On my system the $SUDO_USER env var is set to my username. (Note: sudo echo $SUDO_USER won't work, because the shell will evaluate the $SUDO_USER before sudo is called ;) )

If the $SUDO_USER env var is set, the code should put the .subuser directory in /home/<username>/. If it is not set the code puts it in /root/ and assumes it has permission to do so.

timthelion avatar Aug 12 '18 13:08 timthelion

@timthelion Thanks for your response. The $SUDO_USER env var is set to my username too.

I've created the following script:

test.sh

#!/bin/bash
whoami
echo $SUDO_USER
echo $HOME

When I run bash /home/lucas/Scripts/test.sh I get:

lucas

/home/lucas

When I run sudo bash /home/lucas/Scripts/test.sh I get:

root
lucas
/root

When I run sudo --user=lucas bash /home/lucas/Scripts/test.sh I get:

lucas
lucas
/home/lucas

In the case of subuser, I get the error I mentioned in the first post in all the bellow cases:

subuser list available
sudo subuser list available
sudo --user=lucas subuser list available

lucasbasquerotto avatar Aug 13 '18 23:08 lucasbasquerotto

@timthelion I've never programed in python before, but I've done some search to make simple prints in the console, and found that the problem seems to be in the user.py file, and not in endUser.py.

In endUser.py I see that it enters:

https://github.com/subuser-security/subuser/blob/c04a1bad771e65f2f27f9fc216c49753fa554258/logic/subuserlib/classes/endUser.py#L41

and the $SUDO_USER is lucas. Then it goes to:

https://github.com/subuser-security/subuser/blob/c04a1bad771e65f2f27f9fc216c49753fa554258/logic/subuserlib/classes/endUser.py#L63

and set the homedir with /home/lucas (correct).

But before that, in the file user.py, it enters the line:

https://github.com/subuser-security/subuser/blob/c04a1bad771e65f2f27f9fc216c49753fa554258/logic/subuserlib/classes/user.py#L47

and set homedir with the value /root (wrong).

It seems the command os.path.expanduser("~") is returning /root instead of /home/lucas.

So I've changed:

self.homeDir = os.path.expanduser("~")

to

self.homeDir = os.path.join("/home/", os.environ["SUDO_USER"])

and run subuser list available successfully:

Initial commit.
Cloning repository default from https://github.com/subuser-security/subuser-default-repository.git
Cloning into '/home/lucas/.subuser/repositories/default'...
remote: Counting objects: 2673, done.
remote: Total 2673 (delta 0), reused 0 (delta 0), pack-reused 2673
Receiving objects: 100% (2673/2673), 335.32 KiB | 325.00 KiB/s, done.
Resolving deltas: 100% (1536/1536), done.
arduino@default
arduino-base@default
blender@default
blender-base@default
briquolo@default
briquolo-base@default
docker-in-docker@default
docker-in-docker-base@default
emacs@default
...

This change worked for me. I don't think it will work for everyone (like someone in the docker group), but it seems the line I mentioned above need some changes, like verifying if the home directory path returns /root, and in such a case verify if the $SUDO_USER env var is defined and, if it is, change the path to /home/$SUDO_USER.

Thanks for your attention. I won't close this issue for now assuming you might want to change that line, but if you want I close.

lucasbasquerotto avatar Aug 14 '18 00:08 lucasbasquerotto